The first involves combining spamassassin local.cf rules for valid-looking and probably faked/non-RFC 'undisclosed recipients' with low score values, since no To is allowed after all, then assigning another, higher score if they don't appear to be internal users:

-Append __ to UNDISC_RECIPS / FAKED_UNDISC_RECIPS and remove the extra score x.x lines if you don't want them to have an effect on their own.
-Should probably find a better __MY_DOMAIN check that looks at trusted paths, since they could obviously fake the From field; but we won't extrapolate here, you have tons of other checks.
-I didn't test the above with spamassassin --lint, so be careful before taking that rule live in /opt/zimbra/conf/spamassassin 20_head_test.cf or local.cf.
-There's && (and), || (or) and ! (nor), as well as xor and xnor.

x.x rundown:
If there is only one score parameter then that value is used all the time.
1st score applies when the Bayesian classifier and network tests are not in use.
2nd score applies when the Bayesian classifier is not in use, but the network tests are.
3rd score applies when the Bayesian classifier is in use, but network tests are not.
4th score applies when the Bayesian classifier and network tests are both in use.

As Jbrabander said, it's allowed per RFC to not have a To and only Bcc. But it is funny how spammers tend to use undisclosed more, and legitimate people at least To/CC themselves; if said spammers are smart they could just specify a bogus external To/CC value...
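As an added illustration of the layout the post describes (my own assumed rules, not the poster's, which are not quoted here): subrules get the __ prefix so they score nothing on their own, meta rules combine them with && and !, and each score line uses the four-value form from the x.x rundown. The regexes, the __MY_DOMAIN pattern and example.com are all assumptions to be replaced with your own.

```spamassassin
# Added example for local.cf (assumed rules, not the poster's).
# Subrules start with __ so they carry no score of their own; only
# the meta rules below add points.

# RFC 5322 group form "undisclosed-recipients:;" (the valid-looking variant)
header   __UNDISC_RECIPS        ToCc =~ /^\s*undisclosed[-\s]+recipients\s*:\s*;\s*$/i

# Any other mention of undisclosed recipients that is not the group form
header   __ANY_UNDISC_MENTION   ToCc =~ /undisclosed[-\s]+recipients/i
meta     __FAKED_UNDISC_RECIPS  __ANY_UNDISC_MENTION && !__UNDISC_RECIPS

# Assumption: "internal" means the From address is in our domain.
# From is trivially forged, so treat this only as a weak signal.
header   __MY_DOMAIN            From:addr =~ /\@example\.com$/i

# Valid-looking undisclosed list from one of our own users: tiny nudge
meta     LOCAL_UNDISC_INTERNAL  __UNDISC_RECIPS && __MY_DOMAIN
describe LOCAL_UNDISC_INTERNAL  Undisclosed recipients, From is an internal address
score    LOCAL_UNDISC_INTERNAL  0.1 0.1 0.1 0.1

# Same form from outside: higher; 3rd/4th values lower because Bayes is on
meta     LOCAL_UNDISC_EXTERNAL  __UNDISC_RECIPS && !__MY_DOMAIN
describe LOCAL_UNDISC_EXTERNAL  Undisclosed recipients, From is not an internal address
score    LOCAL_UNDISC_EXTERNAL  1.0 1.0 0.8 0.8

# Faked (non-RFC) form from outside: highest of the three
meta     LOCAL_FAKED_UNDISC_EXT __FAKED_UNDISC_RECIPS && !__MY_DOMAIN
describe LOCAL_FAKED_UNDISC_EXT Non-RFC undisclosed-recipients header, external From
score    LOCAL_FAKED_UNDISC_EXT 2.5 2.5 2.0 2.0
```

Run spamassassin --lint before putting it live, as the post advises.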